Monitoring Social Media for Security References to Your Organization

Published: 2011-05-25
Last Updated: 2011-05-26 03:38:48 UTC
by Lenny Zeltser (Version: 1)

Organizations large and small utilize social media for interacting with current and prospective customers, recruiting employees and tracking the sentiment regarding the organization's products and services. (In this context, social media includes blogs as well as social networking sites such as Facebook and Twitter.) As a security professional, you can also use social media for a related purpose: keeping track of malicious activities and threats against your organization that attackers sometimes discuss publicly.

If your goal is to keep an eye on social media statements or postings that merely mention your organization's name, a number of free tools can help you, including:

These tools allow you to specify the search term (such as your organization's name), and will then present you with a listing of relevant social media mentions. Some of them can send email alerts and generate RSS feeds.

The challenge comes when you have to keep an eye on the activities associated with a popular brand that is often mentioned in social media. In this case, the tools mentioned will likely overwhelm you with their findings. You'll need to be more selective when specifying your search terms, and will probably want the tool to support some form of Boolean logic.

Google Alerts is a good match for such activities. Another powerful and flexible source of data is Twitter Search. (Learned this from "JD"). Twitter is used for both curating content that's hosted elsewhere and directly expressing opinions. No wonder searching its public activity streams can be an effective way of keeping an eye on the discussions related to your organization. Best of all, the Twitter search engine supports Boolean logic--not just keyword searches. 

For instance, you may want to use Twitter to learn when someone has hacked or is planning to attack your organization. You can search it for your organization's brand name(s) and words such as "hacked", "breached", "pwned", "XSS", "SQLi", etc. If you get too much noise in the search result, consider specifying these words as hashtags by preceding them with the "#" sign.

Here's a proof-of-concept site I put together to demonstrate this technique:

To fine-tune your Twitter search terms, consider searching for a brand whose security is the hot topic at the moment, and identify which hashtags or terms give you the right balance of meaningful content and a low rate of false positives.
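The keyword-versus-hashtag trade-off described above can be measured before you commit to a query. The following Python sketch is an added example, not code from the original diary or its proof-of-concept site: it builds the Boolean query for both variants and scores each against hand-labelled posts. The brand names and sample posts are constructed placeholders, and the query syntax assumes the search engine accepts OR, quoted phrases and parentheses.

```python
import re

# Keywords are the ones the article lists; the brand names are placeholders.
KEYWORDS = ["hacked", "breached", "pwned", "XSS", "SQLi"]
BRANDS = ["Example Corp", "ExampleCorp"]

def build_query(brands, keywords=KEYWORDS, hashtags=False):
    """Compose (brand OR brand) (kw OR kw ...); multi-word brands are quoted.
    Assumes the search engine accepts OR, quoted phrases and parentheses."""
    b = " OR ".join(f'"{x}"' if " " in x else x for x in brands)
    k = " OR ".join("#" + w if hashtags else w for w in keywords)
    return f"({b}) ({k})"

def matches(text, brands, keywords=KEYWORDS, hashtags=False):
    """Local approximation of the query: any brand AND any keyword.
    In hashtag mode the keyword must appear as #keyword."""
    low = text.lower()
    def found(term, tag=False):
        lead = "#" if tag else r"(?<!\w)"
        return re.search(lead + re.escape(term.lower()) + r"(?!\w)", low) is not None
    return any(found(b) for b in brands) and any(found(k, hashtags) for k in keywords)

# Constructed sample posts, hand-labelled: True = real security reference.
SAMPLES = [
    ("ExampleCorp login page has an #XSS hole, details soon", True),
    ("Looks like Example Corp got #hacked, customer db posted", True),
    ("I hacked together a script using the ExampleCorp API, so handy", False),
    ("examplecorp support is great, never been breached by spam lol", False),
    ("ExampleCorp customer portal vulnerable to SQLi", True),
    ("New phone from Example Corp today!", False),
    ("#pwned at chess by a coworker", False),
]

def score(samples, brands, hashtags):
    """Return (hits, precision, missed) for one query variant."""
    flagged = [rel for text, rel in samples if matches(text, brands, hashtags=hashtags)]
    relevant = sum(rel for _, rel in samples)
    true_hits = sum(flagged)
    precision = true_hits / len(flagged) if flagged else 0.0
    return len(flagged), precision, relevant - true_hits

if __name__ == "__main__":
    for mode in (False, True):
        print(build_query(BRANDS, hashtags=mode))
        print("  hits=%d precision=%.2f missed=%d" % score(SAMPLES, BRANDS, mode))
```

On this sample the hashtag variant removes both false positives but misses the SQLi post that carried no hashtag, which is the balance to weigh when choosing terms.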

Do you have tips for searching Twitter and other sources for activities related to your brand's security? Please leave a comment below or drop us a note.

For more thoughts on social media in the context of information security, see:

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.


1 comment(s)


Of course the flip side of having these alerts is that it makes for an easy way to lure your CEO to a site with malicious content.

All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get.
